Firewall Scrutiny a Key to Successful Compliance Initiatives

by Carl Weinschenk, IT Business Edge
Apr 4, 2008 12:00:00 AM

Carl Weinschenk spoke with Avishai Wool, CTO, AlgoSec.

Weinschenk: How important is the relationship between compliance and how a firewall is managed?
Wool: Recent regulatory developments put firewalls in the middle of compliance reporting. Specifically, the Payment Card Industry Data Security Standard (PCI DSS) has whole sections of what you are supposed to do and not do on firewalls, how to configure them, what traffic to allow and not allow, etc. Anybody who handles payment card information is subject to requirements or will be soon. All these organizations need firewalls and need to report what they do for change control, risk [and other things].

Weinschenk: We know about Sarbanes-Oxley and PCI. Are there many others?
Wool: There [also] is ISO 27001, which used to be called ISO 17799. It’s more common in Europe. It came out of a British standard that is all about information security. Firewalls are a central part of that as well. I think it is elective in the U.S., used on an industry-by-industry basis. Certainly in Europe, the standard is very widespread. PCI of course is global. We have customers in Australia, Germany, Canada and the US. Everyone is interested; everyone sees that it is relevant. Each type of regulation has its own ways of doing things. That adds to the level of effort enterprises need to put into compliance.

Weinschenk: Are there major trends or themes in all this?
Wool: There are two major themes of the regulations. One is that there is a big thrust about controlling change. That comes in different flavors, such as process and approvals, documents, audits and changes. Basically, it is demonstrating from an enterprise point of view that you have control of the change process of subsystems, including firewalls, and that people are following it. The other thrust is managing risk. This has to do with making sure firewalls have a well-understood policy that is documented, that it is following best practices and corporate regulations so obviously bad types of traffic are not let through. If there are exceptions, they have to be understood. Basically, there have to be various organizational processes and awareness around the risk components, particularly firewalls.

Weinschenk: Are people paying attention?
Wool: I think it is becoming more and more of an issue to more and more organizations. A few years ago, it started with Sarbanes-Oxley, which did have specific IT components but did not have language that specifically targeted firewalls. It was applied to firewalls in the field by auditors. This was focused on the largest corporations that are traded on the American Stock Exchange. That wave is mostly behind us. Most organizations subject to SOX have put in place the systems and controls. Those that need to be compliant probably are or are in the process of becoming so.

Now we are seeing a new wave of aggressive and much wider sort of companies, driven primarily by the payment card industry. It covers many, many more organizations than those on the stock exchange. It covers public corporations, private companies — any that do payment cards, including international companies. It is becoming much more widespread. In addition, the PCI standard has much more specific lists of decision protocols that are frowned upon and specific network structures that are required. It is much more pinpointed and much less subject to interpretation. I think that this is going to cause quite a bit of work for IT managers and security managers in many more corporations in the next few years.
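The two audit themes Wool describes, change control and risk, can be checked mechanically against a firewall ruleset. The script below is an added example written for this page; it is not code from AlgoSec, from the interview, or from any standard. It assumes a hypothetical, constructed rule format (a `Rule` record with an approval ticket and a justification field) and constructed "before" and "after" rulesets; the list of services treated as risky is likewise a constructed illustration, not a PCI DSS requirement.

```python
"""Audit a firewall ruleset for two compliance themes: risk (overly permissive
rules, undocumented exceptions) and change control (changes without approval).

Rule format, RISKY_SERVICES and both rulesets are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str
    ticket: str = ""         # change-control approval reference (hypothetical)
    justification: str = ""  # documented reason for any exception (hypothetical)


# Constructed list of services an auditor would not expect open from anywhere.
RISKY_SERVICES = {"telnet", "ftp", "any"}


def is_any(value: str) -> bool:
    """True when a source, destination or service matches everything."""
    return value.strip().lower() in ("any", "0.0.0.0/0", "*")


def risk_findings(rules):
    """Flag allow rules that let obviously bad traffic through or lack documentation."""
    findings = []
    for r in rules:
        if r.action.lower() != "allow":
            continue  # deny rules are not a risk finding
        if is_any(r.src) and is_any(r.dst) and is_any(r.service):
            findings.append((r.name, "any/any/any allow"))
        elif is_any(r.src) and r.service.lower() in RISKY_SERVICES:
            findings.append((r.name, f"{r.service.lower()} open from any source"))
        # Exceptions are acceptable only when their reason is written down.
        if (is_any(r.src) or is_any(r.service)) and not r.justification:
            findings.append((r.name, "permissive rule without documented justification"))
    return findings


def change_findings(old, new):
    """Every added or modified rule must carry an approval ticket; removals are listed for review."""
    old_by = {r.name: r for r in old}
    new_by = {r.name: r for r in new}
    findings = []
    for name in sorted(new_by.keys() - old_by.keys()):
        if not new_by[name].ticket:
            findings.append((name, "added without change ticket"))
    for name in sorted(old_by.keys() - new_by.keys()):
        findings.append((name, "removed; confirm approval recorded"))
    for name in sorted(old_by.keys() & new_by.keys()):
        if old_by[name] != new_by[name] and not new_by[name].ticket:
            findings.append((name, "modified without change ticket"))
    return findings


# Constructed sample rulesets: the state at the last audit and the state today.
OLD_RULES = [
    Rule("web-in", "any", "10.0.1.10", "https", "allow", "CHG-100", "public web server"),
    Rule("dmz-db", "10.0.1.10", "10.0.2.5", "mysql", "allow", "CHG-101", "web tier to database"),
    Rule("deny-all", "any", "any", "any", "deny"),
]
NEW_RULES = [
    Rule("web-in", "any", "10.0.1.10", "https", "allow", "CHG-100", "public web server"),
    Rule("dmz-db", "10.0.1.10", "10.0.2.5", "mysql", "allow", "CHG-101", "web tier to database"),
    Rule("temp-any", "any", "any", "any", "allow"),  # emergency rule, never documented
    Rule("legacy-telnet", "any", "10.0.3.7", "telnet", "allow", "CHG-102", "vendor console, expires 2008-06"),
    Rule("deny-all", "any", "any", "any", "deny"),
]


def audit_report(old, new):
    """Combine both checks into the kind of summary an auditor asks for."""
    return {"risk": risk_findings(new), "change_control": change_findings(old, new)}


if __name__ == "__main__":
    for section, items in audit_report(OLD_RULES, NEW_RULES).items():
        print(section)
        for rule_name, problem in items:
            print(f"  {rule_name}: {problem}")
```

The documented telnet exception still produces a risk finding; the script deliberately does not suppress it, because Wool's point is that exceptions must be understood and reviewed, not made invisible. The undocumented any/any/any rule is reported under both themes, which is the pattern auditors look for: a risky change that also bypassed the approval process.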

